SGCNhan asked:

How to create automation account in CSP subscription?

Hi everyone,

I have moved an EA subscription to a CSP subscription. My role is Owner of this CSP subscription. But in the process of creating an Automation Account, I got these error messages:
Azure Run As account (service principal) creation error
An error occurred while creating the Azure Run As account (service principal) for account 'SGC-DF-Automation'.
Error details:
You don't have enough permissions to access service principal needed for the Run as account in the AAD tenant. See https://aka.ms/AARunAsPermissions for more details.

Please help me resolve this.
Thanks.
Nhan


1 Answer

AndreasBaumgarten answered:

Hi @SGCNhan ,

it looks like you don't have the permission to create the Azure Run As account (service principal) in Azure AD.

The Owner role on subscription level is not allowed to create or manage users in Azure AD.

You will find the built-in roles of Azure AD here: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten


Hi @AndreasBaumgarten ,

So I have to add another user with Application Administrator?

Thanks & Regards,
Nhan


Hi @SGCNhan ,

the user that is used to add the Automation Account needs to be in an AAD role to add the Run As account:
This could be the Global Administrator role (full access in AAD) or any other role that is allowed to create a new service principal in AAD (`Application Administrator` should work based on the description of the role).


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten

SGCNhan commented:

Thank you @AndreasBaumgarten. I resolved this by following your guidance.

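A pre-flight check for the point made in the answer and comments above, as an added example that is not part of the original thread: it lists the signed-in user's Azure AD directory roles through Microsoft Graph and reports whether one of the two roles named above is among them. It assumes the Microsoft.Graph.Authentication PowerShell module is installed and that the delegated `User.Read` scope is enough to read your own role memberships; the function names are hypothetical.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example (not from the thread): read-only check of the signed-in
# user's directory roles before attempting to create the Run As account.

# Directory roles named in the answer above as able to create the service principal.
$SufficientRoles = @('Global Administrator', 'Application Administrator')

function Get-MyDirectoryRole {
    # Returns the directory roles held by the signed-in user (direct or via groups).
    # Only active assignments are returned by this endpoint.
    $uri = 'https://graph.microsoft.com/v1.0/me/transitiveMemberOf/' +
           'microsoft.graph.directoryRole?$select=displayName,roleTemplateId'
    $roles = @()
    while ($uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $uri
        $roles += $page.value
        $uri   = $page.'@odata.nextLink'   # follow paging until exhausted
    }
    return $roles
}

function Test-CanCreateRunAsAccount {
    # Compares the held roles with the sufficient ones and reports the overlap.
    param([object[]]$Roles, [string[]]$Sufficient)
    $held  = @($Roles | ForEach-Object { $_.displayName })
    $match = @($held  | Where-Object { $Sufficient -contains $_ })
    [pscustomobject]@{
        HeldRoles     = $held
        MatchingRoles = $match
        CanCreate     = ($match.Count -gt 0)
    }
}

# Assumption: User.Read is sufficient to list your own directory role memberships.
Connect-MgGraph -Scopes 'User.Read' | Out-Null
$result = Test-CanCreateRunAsAccount -Roles (Get-MyDirectoryRole) -Sufficient $SufficientRoles
$result | Format-List

if (-not $result.CanCreate) {
    # Subscription Owner is an Azure RBAC role and does not appear in this list.
    Write-Warning 'No matching Azure AD directory role found; subscription Owner alone is not enough.'
}
```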